From: anil gupta
Date: Tue, 1 Jul 2014 22:16:07 -0700
Subject: Re: problem access security hbase
To: "user@hbase.apache.org"

Hi Cheney,

If you are using a Java client and using the kinit way to log in, then I don't have much idea about handling long-running clients. We run long-running clients using UserGroupInformation to log in to the cluster. I don't know the very specifics, but I think there is a Kerberos setting which you can set up in such a way that the ticket auto-renews. We run this client ranging from 2-4 weeks without any problem of security.

Hope this helps.

Thanks,
Anil Gupta

On Tue, Jul 1, 2014 at 7:12 PM, Cheney Sun wrote:

> Thanks Gary, Anil.
>
> Add this statement 'UserGroupInformation.setConfiguration(hbaseConf);' can
> resolve the problem.
>
> I'm using the kinit way to login KDC. But I wonder if I switch to calling
> UserGroupInformation.loginFromKeytab() in code, does it need to be
> called periodically for a long running program, since the TGT obtained from
> KDC will expire?
>
> Thanks,
> Cheney
>
>
> On Wed, Jul 2, 2014 at 1:20 AM, Gary Helmling wrote:
>
> > Hi Cheney,
> >
> > Did you obtain kerberos credentials before running your program, either by
> > calling kinit before running the program, or by calling
> > UserGroupInformation.loginFromKeytab() in your code?
> >
> >
> > On Tue, Jul 1, 2014 at 8:44 AM, Cheney Sun wrote:
> >
> > > Hello all,
> > >
> > > I have setup a security hbase/hdfs/zookeeper, which was confirmed and work
> > > normally.
> > > I wrote a Java program to get/put data to a table and package the
> > > core-site.xml / hbase-site.xml (which are obtained from the secure cluster)
> > > into the jar file, and it worked correctly.
> > >
> > > But when I removed the core-site.xml and hbase-site.xml from the jar, and
> > > instead, I use the Configuration API to set the relevant settings in the
> > > program as below,
> > > Configuration hbaseConf = HBaseConfiguration.create(hadoopConf);
> > > hbaseConf.set("hbase.zookeeper.quorum","slave-nodex");
> > > hbaseConf.set("hbase.zookeeper.property.clientPort", "2181");
> > > hbaseConf.set("hbase.rpc.engine", "org.apache.hadoop.hbase.ipc.SecureRpcEngine");
> > > hbaseConf.set("hbase.security.authentication", "kerberos");
> > > hbaseConf.set("hbase.master.kerberos.principal", "hbase/_HOST@HADOOP.COM");
> > > hbaseConf.set("hbase.master.keytab.file","/etc/hbase/conf/hbase.keytab");
> > > hbaseConf.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@HADOOP.COM");
> > > hbaseConf.set("hbase.regionserver.keytab.file","/etc/hbase/conf/hbase.keytab");
> > > hbaseConf.set("hadoop.security.authentication", "kerberos");
> > > hbaseConf.set("hadoop.security.authorization", "true");
> > >
> > > It failed getting authenticated to access to the hbase with the error
> > > message as:
> > > org.apache.hadoop.ipc.RemoteException: Authentication is required
> > > at org.apache.hadoop.hbase.ipc.HBaseClient.call(HBaseClient.java:1021) ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na]
> > > at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Invoker.invoke(SecureRpcEngine.java:164) ~[test-0.0.1-SNAPSHOT-jar-with-dependencies.jar:na]
> > > at com.sun.proxy.$Proxy7.getProtocolVersion(Unknown Source) ~[na:na]
> > >
> > > It looks like the settings through API in code doesn't work. Is it a known
> > > issue or am I wrong somewhere?
> > >
> > > Thanks,
> > > Cheney

--
Thanks & Regards,
Anil Gupta
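The two points raised in this thread, as an added example that is not code from any of the posters or from the HBase project: configuring `UserGroupInformation` in code when no `core-site.xml` is on the classpath, then logging in from a keytab and re-checking the TGT periodically in a long-running client. It uses Hadoop's `loginUserFromKeytab` and `checkTGTAndReloginFromKeytab`; the client principal, the keytab path, the hourly interval and the owner-only permission check are assumptions, and it expects Java 8+ on a POSIX filesystem.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.security.UserGroupInformation;

public class SecureHBaseLogin {
    // Placeholders (assumptions): the client's own principal and keytab, not the hbase service keytab.
    static final String PRINCIPAL = "appuser@HADOOP.COM";
    static final String KEYTAB = "/path/to/appuser.keytab";

    static Configuration login() throws IOException {
        // A keytab is a long-lived credential: refuse one readable by group or others.
        Set<PosixFilePermission> p = Files.getPosixFilePermissions(Paths.get(KEYTAB));
        if (p.contains(PosixFilePermission.GROUP_READ) || p.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IOException("keytab " + KEYTAB + " must be readable by its owner only");
        }
        Configuration conf = HBaseConfiguration.create();
        conf.set("hbase.zookeeper.quorum", "slave-nodex");
        conf.set("hbase.rpc.engine", "org.apache.hadoop.hbase.ipc.SecureRpcEngine"); // as in the post
        conf.set("hbase.security.authentication", "kerberos");
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hbase.master.kerberos.principal", "hbase/_HOST@HADOOP.COM");
        conf.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@HADOOP.COM");
        // UGI otherwise initializes from classpath defaults ("simple" auth when core-site.xml is absent).
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);
        return conf;
    }

    public static void main(String[] args) throws IOException {
        Configuration conf = login();
        ScheduledExecutorService relogin = Executors.newSingleThreadScheduledExecutor();
        relogin.scheduleAtFixedRate(() -> {
            try {
                // No-op unless the TGT is close to expiry; then logs in again from the keytab.
                UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
            } catch (IOException e) {
                System.err.println("Kerberos relogin failed: " + e.getMessage());
            }
        }, 1, 1, TimeUnit.HOURS);
        // Application get/put work using conf goes here; call relogin.shutdown() on exit.
    }
}
```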